Blackfield is a Windows box that mainly tests enumeration skills while giving you a taste of real-life situations, such as misconfigurations, that could cost an organization heavily. The following were the key takeaways:
- RPC and SMB enumeration
- Local Security Authority Subsystem Service (LSASS) exploitation
- NTDS exploitation
- leveraging tools like mimikatz and secretsdump
- privileged user account exploitation
ENJOY
Part 1: Initial Enumeration
(i) nmap
Several interesting ports were open, as the result shows, and these were enumerated further.
(ii) SMB enumeration on port 445
smbclient -L //10.10.10.192 -N
The following shares were available; however, only the profiles$ share was accessible without credentials.
smbclient //10.10.10.192/profiles$ -N
Several interesting folders were discovered here, and they appeared to be named after user accounts. The next step was copying these names into a text file, then checking the content of the folders with the “recurse” command followed by “dir” (to list the directories of each user), but all directories were empty.
Now that we had a list of users, the next step was using Impacket's GetNPUsers.py. This is a very useful tool that requests AS-REP tickets, but why would the Domain Controller just hand over the tickets? Because this script lists and requests TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ (UF_DONT_REQUIRE_PREAUTH) set.
Another question is why this flag would be set on an account if it exposes the account to an attack. After research, the conclusion was legacy systems: that is the only time this flag would be set, when older systems that are unable to support Kerberos pre-authentication still need to authenticate to AD.
For further reading on Kerberos preauth, see the link below: http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm#UF_DONT_REQUIRE_PREAUTH So, moving on to the bad-boy script (GetNPUsers.py), a TGT was found for the support user account:
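The flag GetNPUsers.py keys on is one bit of the userAccountControl attribute described at the link above. The following script is an added example (not part of the original write-up) that decodes that bitmask from a directory export so a defender can find AS-REP-roastable and otherwise weakly configured accounts before anyone else does. The account records are constructed sample data; the bit values are the documented userAccountControl constants.

```python
"""Audit userAccountControl flags for risky settings (added example).

The records below are a constructed sample export, not real directory
data; only the attribute names follow the LDAP schema.
"""

# Documented userAccountControl bit values (MS-ADTS / the selfadsi page above).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQUIRE_PREAUTH",
}

# Flags that weaken authentication when set on an enabled account.
RISKY_FLAGS = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "DONT_REQUIRE_PREAUTH"}


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(records):
    """Return (sAMAccountName, state) for every account with preauth disabled.

    A disabled account still carries the flag but cannot obtain a TGT, so it is
    reported as 'disabled' rather than silently dropped: it becomes a problem
    the moment someone re-enables it.
    """
    findings = []
    for rec in records:
        uac = rec["userAccountControl"]
        if not uac & 0x400000:
            continue
        state = "disabled" if uac & 0x0002 else "enabled"
        findings.append((rec["sAMAccountName"], state))
    return findings


def risky_accounts(records):
    """Map enabled accounts to the risky flags they carry (empty dict if none)."""
    report = {}
    for rec in records:
        flags = decode_uac(rec["userAccountControl"])
        if "ACCOUNTDISABLE" in flags:
            continue
        hits = [f for f in flags if f in RISKY_FLAGS]
        if hits:
            report[rec["sAMAccountName"]] = hits
    return report


# Constructed sample export: names borrowed from the box, values invented.
SAMPLE_RECORDS = [
    {"sAMAccountName": "support", "userAccountControl": 0x400200},         # normal, no preauth
    {"sAMAccountName": "audit2020", "userAccountControl": 0x10200},        # normal, password never expires
    {"sAMAccountName": "legacy_scanner", "userAccountControl": 0x400202},  # disabled, no preauth
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x0200},        # normal account only
]

if __name__ == "__main__":
    for name, state in asrep_roastable(SAMPLE_RECORDS):
        print("preauth not required: %s (%s)" % (name, state))
    for name, flags in risky_accounts(SAMPLE_RECORDS).items():
        print("risky flags on %s: %s" % (name, ", ".join(flags)))
```

The same decoding applies to a real export (for example the output of an LDAP query for sAMAccountName and userAccountControl); the audit is the inverse of what GetNPUsers.py does, and any enabled account it reports should either lose the flag or be justified by a documented legacy dependency.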
python3 GetNPUsers.py BLACKFIELD.local/ -usersfile /home/osboxes/boxes/blackfield/user.txt -dc-ip 10.10.10.192
After getting the hash above, hashcat was used to crack it with the command below:
hashcat -a 0 -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
user:support password:#00^BlackKnight
Using the credentials above, RDP to the machine was attempted, but it was not possible, probably because the account was not a member of a group allowed remote access.
The next option was using rpcclient for further enumeration. The following article comes in handy: https://bitvijays.github.io/LFF-IPS-P3-Exploitation.html. The password-reset commands from it were used.
The password of users with AdminCount = 1 (Domain Admins and other highly privileged accounts) could not be changed; however, users having alternate admin accounts could easily be targets. The number 23 comes from the MSDN article on USER_INFORMATION_CLASS: the SAMPR_USER_INTERNAL4_INFORMATION structure (information level 23) holds all attributes of a user, along with an encrypted password.
Let's try changing the password of the account audit2020. And yes, we can.
Part 2: Getting Initial Access To the machine
By accessing the SMB share ‘audit’ with the audit2020 account above, lsass.zip was found.
But what is LSASS? The Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. Because its memory holds that credential material, a dump of it can be leveraged by an attacker to get the passwords of users.
The file was downloaded to my local machine.
A useful tool for getting clear-text passwords from an LSASS memory dump is mimikatz. I switched to a Windows VM, extracted the zip file, then downloaded the mimikatz executable from https://github.com/gentilkiwi/mimikatz/releases. Running mimikatz opens this terminal in cmd.
The following commands were run:
sekurlsa::minidump lsass.dmp
then
sekurlsa::logonPasswords full
The svc_backup account hash (9658d1d1dcd9250115e2205d9f48400d) was found. Then, using evil-winrm, we logged in with the above credentials and, voilà, we have the user flag.
Part 3: Privilege Escalation
After getting the user svc_backup, the next thing is enumerating the environment for clues.
Further enumeration through:
a] manually looking around
A txt file was found in the C: directory, and in it was a clue that the user could back up and restore things.
b] whoami /priv
To verify these claims, whoami /priv was used to check the user’s privileges, and it was true: the user could actually back up and restore things.
c] tools
All tools needed were uploaded.
–>WinPeas
On running winpeas.exe, the executable disappeared. It wasn’t clear why at this point.
–>SharpHound
With this second tool, the following commands were run:
Powershell -exec bypass
Import-module SharpHound.ps1
As you can see in the above image, SharpHound was blocked by the antivirus; this explains the sudden disappearance of winpeas.exe as well.
–>Powerup
With this third tool, the following commands were run:
Import-Module ./powerup.ps1
Invoke-AllChecks
As you can see above, the user can back up and restore things. An online search on attack vectors for these privileges led me to the following links:
https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf
https://docs.datacore.com/WIK-WebHelp/VSS/DiskShadow_Commands_Example.htm
From the two links above, I came up with the following diskshadow script:
set context persistent nowriters#
add volume c: alias new1#
create#
expose %new1% z:#
The script was then uploaded to the server.
Then the script was run with the command below:
cmd /c diskshadow /s script.txt
The shadow copy was successfully created and exposed as drive ‘Z:’.
The next thing was to find ntds.dit and copy it to the tmp folder. Why is the NTDS file important? The ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
So first, two DLLs were uploaded:
SeBackupPrivilegeCmdLets.dll
SeBackupPrivilegeUtils.dll
which can be found at https://github.com/giuliano108/SeBackupPrivilege, and then imported.
The reason we used these two DLLs is the principle that if you want to read or copy data out of a “normally forbidden” folder, you have to act as backup software. Using the function below, we simulated backup software; however, you are required to hold the backup privilege to perform that task.
Copy-FileSeBackupPrivilege z:\windows\ntds\ntds.dit c:\tmp\ntds.dit
After the above was successfully executed, the following commands were run from the tmp folder to save the SYSTEM and SAM registry hives, which are needed together with the backed-up ntds.dit:
reg save HKLM\SYSTEM c:\tmp\system.hive
reg save HKLM\SAM c:\tmp\sam.hive
These files were then downloaded.
Finally, secretsdump.py from Impacket was used to dump the administrator hash. Other tools like samdump2 gave an incorrect hash.
user:administrator
password hash:184fb5e5178480be64824d4cd53b99ee
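Every step of this chain leaves a trace a defender can key on: the AS-REP request without pre-authentication from Part 1 shows up as a Kerberos event 4768 with Pre-Authentication Type 0, and the diskshadow script, the reg save of the SAM and SYSTEM hives and the ntds.dit copy from Part 3 all appear in process-creation (4688) or PowerShell script-block (4104) logging. The rule set below is an added example, not part of the original post or of any of the tools mentioned; the event records are constructed dicts carrying the field names of those Windows Security events, with invented IP addresses and paths.

```python
"""Detection rules for the techniques in this write-up (added example).

Events are represented as dicts keyed by the field names of Windows
Security events 4768, 4688 and 4104. The sample records are constructed.
"""
import re

RC4_HMAC = "0x17"  # Ticket Encryption Type for RC4, the crackable AS-REP format


def check_asrep(ev):
    """4768 with Pre-Authentication Type 0: the KDC issued a TGT without preauth.

    That is exactly what GetNPUsers.py asks for. An RC4 reply can be cracked
    offline, so that combination is rated higher than an AES reply.
    """
    if ev.get("EventID") != 4768 or ev.get("PreAuthType") != "0":
        return None
    sev = "high" if ev.get("TicketEncryptionType") == RC4_HMAC else "medium"
    return (sev, "TGT issued without preauth for %s from %s"
            % (ev.get("TargetUserName", "?"), ev.get("IpAddress", "?")))


# Patterns for the privilege-escalation steps; all case-insensitive.
DISKSHADOW = re.compile(r"diskshadow(\.exe)?\b.*\s/s\b", re.I)          # scripted diskshadow
HIVE_SAVE = re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)
NTDS = re.compile(r"ntds\.dit", re.I)                                    # any reference to the AD database


def _command_text(ev):
    """Return the text a rule should inspect, or None for unrelated events."""
    if ev.get("EventID") == 4688:
        return ev.get("CommandLine", "")
    if ev.get("EventID") == 4104:  # PowerShell script block logging
        return ev.get("ScriptBlockText", "")
    return None


def check_process(ev):
    """Flag diskshadow scripts, hive exports and ntds.dit handling."""
    text = _command_text(ev)
    if text is None:
        return None
    user = ev.get("SubjectUserName", "?")
    if DISKSHADOW.search(text):
        return ("high", "scripted diskshadow run by %s: %s" % (user, text))
    if HIVE_SAVE.search(text):
        return ("high", "registry hive export by %s: %s" % (user, text))
    if NTDS.search(text):
        return ("high", "ntds.dit referenced by %s: %s" % (user, text))
    return None


RULES = (check_asrep, check_process)


def run_rules(events):
    """Apply every rule to every event and return the list of (severity, message) hits."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample events; addresses and paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "support", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "audit2020", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "CommandLine": "cmd /c diskshadow /s script.txt"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "CommandLine": "reg save HKLM\\SYSTEM c:\\tmp\\system.hive"},
    {"EventID": 4104, "SubjectUserName": "svc_backup",
     "ScriptBlockText": "Copy-FileSeBackupPrivilege z:\\windows\\ntds\\ntds.dit c:\\tmp\\ntds.dit"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

if __name__ == "__main__":
    for sev, msg in run_rules(SAMPLE_EVENTS):
        print("[%s] %s" % (sev, msg))
```

The second 4768 record (preauth type 2, AES) and the notepad launch produce no hits, which is the point of keeping the preauth-type and pattern checks strict: legitimate logons and ordinary processes should not page anyone. On a real domain the 4688 rule needs command-line auditing enabled, and the 4104 rule needs script-block logging, or the reg save and the backup-privilege copy will never be recorded.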
Then the above credentials were used to log in with evil-winrm.
Finally the root flag! Hurrraaay!!